Windows 2000 & Windows NT 4 Source Code Leaks

PeterHammer writes "Neowin.net is reporting that Windows 2000 and Windows NT source code has been leaked to the internet. More on this as we hear it."

it's true

[sperling]

A quick peek around indeed shows something named Windows.Source.Code.w2k.nt4.wxp.tar circulating, but this had to happen sooner or later, considering the number of institutions [microsoft.com] with access to the source. Wonder how long it'll take before a torrent of new worms using newly discovered security holes tear up the net.

I for one would love to peek around in this, more out of curiosity than any desire to actually do something useful with it.

So much for security through obscurity

[Anonymous Coward]

This pretty much destroy's any argument that Windows is more secure because "the bad guys" can't look at the source code. And yet it won't get the positive aspect of "the good guys" reviewing the source code for bugs as it is illegal to make a copy of the code without a license to do so.

Re:So much for security through obscurity

[Anonymous Coward]

Just remember, eEye doesn't have access to the code and they have been sitting on exploits for months.

Source helps, but it isn't everything.

Does anyone else just get a tingly feeling seeing this article sitting on top of an article on Open Source being less secure because of it's openness?

Re:It's a TRAP!!! /Adm. Ackbar

[Via_Patrino]

What about the opposite:
Is there GPL code there?
Ask an auditing company to
diff NT4 2000 | grep -e yourcode
and get an answer.

I don't think they're playing SCO if they released just a part of it maybe but not the whole thing

Re:So much for security through obscurity

[Monkelectric]

Could this be a ploy to spur Win2k+3 updates? Blame the hackers for making win2k insecure. Oops you gotta upgrade now, sorry,

Re:So much for security through obscurity

[Dr Caleb]

So, when do you figure SCO will find their intellectual property in it?

Re:So much for security through obscurity

[CaptBubba]

Windows XP is based on the Win2k kernel IIRC. Assuming that code is part of what got leaked everything after Windows ME could be in for a world of hurt.

Re:it's true

[Anonymous Coward]

I wonder how long till hackers go in and fix some of the bugs. That's the real danger to microsoft, if the bugs were fixed people wouldn't have to upgrade.

Re:it's true

[Strudelkugel]

Seems a bit of a stretch to thing 'soft would have given all of these organizations the complete source tree. If they did, then I am far more amazed the source wasn't leaked a long time ago. It's a bit hard to believe 'soft licensed the entire build tree to anyone.

Makes a pretty good headline, though.

Re:it's true

[Zork the Almighty]

I'm a little curious as to why you seem so uncomfortable saying "Micro". Actually, scratch that. I don't want to know.

:: prediction ::

[macshune]

Just imagine the FUD/lawsuits/etc when, for some reason, Linux starts running on natively on NTFS.

MS giving source code to countries

[xandroid]

I seem to remember reading that Microsoft gave China access to the entire source code, after the country mentioned that it was leaning more towards using Linux for government-related things, because the entire source code was open for inspection.

Re:it's true

[MenTaLguY]

I for one would love to peek around in this, more out of curiosity than any desire to actually do something useful with it.

I hope you weren't planning on ever contributing to any Open Source projects after doing that. If it's later demonstrated that you had access to the W2K source and contributed vaguely similar code (even by accident) to a project, it could have severe repercussions for that project.

I doubt Microsoft would leak it deliberately, but this does open the door to a whole SCO-esque can of worms from now on.

Re:it's true

[sperling]

And that's exactly why I won't even consider downloading this. I make a living as a programmer, and if I have access to this source Microsoft, with the resources they posess, could make the rest of my professional life a nightmare.
As much as I'd love to peek around in this, I won't risk it.

Re:it's true

[Anonymous Coward]

And that, more than anything else, is why this code leak helps the black hats far more than the white hats.

MOD PARENT UP

[nickos]

For the same reasons that Microsoft warned its IE developers to stay clear of Mozilla, open source coders should avoid even seeing this.

That said, I'd love to get hold of the dll code that does the equivalent of a window manager in X. How cool would it be to swap out a dll on the Windows box at work and have a completely custom windowing environment?

Re:MOD PARENT UP

[jason0000042]

www.litestep.net, or litestep.com. Works pretty good too.

Re:it's true

[El]

So, if any Micro$oft employees have ever looked at Linux kernel source, they are no longer allowed to work on Windows 'cause now they are tainted? Either the sword cuts both ways, or not at all.

Re:it's true

[weileong]

Either the sword cuts both ways

You're assuming the law will be applied fairly and evenly.

Re:it's true

[LinuxGeek]

So, if any Micro$oft employees have ever looked at Linux kernel source, they are no longer allowed to work on Windows 'cause now they are tainted? Either the sword cuts both ways, or not at all.

In Microsoft's closed source world it would have been tough to know if someone had included code that was similar to something they had seen in the Linux ( or any other opensource) codetree. It will be interesting, if this windows code release (escape?) proves true, if any suspicious code is found.

Oh, no! I Looked!

[ackthpt]

10 * BEGIN
100 GOSUB 7000 ; * Load stuff
110 GOSUB 900 ; * Show windows logo
120 GOSUB 20000 ; * Prompt for operator login
130 GOSUB 32000 ; * Fill half of memory with DLL's
140 GOSUB 16000 ; * Time waster loop
.
.
.

SCO Code in Win2000

[Anonymous Coward]

Imagine if somewhere hidden in the bowels of the Windows2000 source an intrepid SCO intern finds a sliver of SCO-owned Unix code. Then all hell would break loose...

That is a MYTH

[FreeUser]

I hope you weren't planning on ever contributing to any Open Source projects after doing that. If it's later demonstrated that you had access to the W2K source and contributed vaguely similar code (even by accident) to a project, it could have severe repercussions for that project.

IANAL but I do read Groklaw, and from what I understand copyright restricts the act of copying (duplicating). You can study someone's implimentation of something as much as you like, then go impliment something similiar yourself. As long as you do not copy the code verbatim you are not in violation of copyright law.

Otherwise, no student would be able to code having once looked at examples in a text book ... the textbook author would own all of your code.

The problem is, of course, proving one implimented the code oneself and did not in fact crib the whole thing from someone elses code, and the greater the similiarity (for code of sufficient complexity ... trivial code will generally be similiar regardless) the more difficult that is.

In any event, it is a myth that, simply by looking at, or even studying, one set of code one is somehow "tainted" and unable to contribute to another, competing project, be it free or proprietary. To violate copyright law one must copy, not just receive inspiration from.

The dirty room and the clean room

[tepples]

As long as you do not copy the code verbatim you are not in violation of copyright law.

Copying of nonliteral elements is actionable infringement. That's why many reverse engineering firms have two separate teams: one to describe a piece of copyrighted code and another to implement it.

In any event, it is a myth that, simply by looking at, or even studying, one set of code one is somehow "tainted" and unable to contribute to another, competing project, be it free or proprietary. To violate copyright law one must copy, not just receive inspiration from.

Try telling that to the estate of George Harrison, who lost in Bright Tunes v. Harrisongs. It's possible to copy without knowing you're copying, and it's still infringement.

Re:That is a MYTH

[Bootsy Collins]

> I hope you weren't planning on ever contributing
> to any Open Source projects after doing that. If
> it's later demonstrated that you had access to
> the W2K source and contributed vaguely similar
> code (even by accident) to a project, it could
> have severe repercussions for that project.

IANAL but I do read Groklaw, and from what I understand copyright restricts the act of copying (duplicating). You can study someone's implimentation of something as much as you like, then go impliment something similiar yourself. As long as you do not copy the code verbatim you are not in violation of copyright law.

What you're saying about copyright is correct; but that probably isn't what MS would come after you (and your open source project) for. It'd be patent and trade secret violations.

That said, I don't know whether the unauthorized release of code would invalidate subsequent trade secret claims. On one hand, it seems crazy to lose trade secret protections because of an illegal or unauthorized act; OTOH, it seems crazy to call something a secret that, well, isn't. Maybe someone who is a lawyer can discuss.

Re:That is a MYTH

[AKAImBatman]

The idea of being "tainted" is actually from licenses that have "trade secret" clauses. Once you sign a license like that, you *are* tainted. That being said, it's a very difficult clause to enforce. Contracts that prevent someone from working in the field for which they are educated and experienced have often been found unenforceable by courts.

(IANAL and this is not legal advice. Go talk to PJ. At least she's a paralegal.)

Re:That is a MYTH

[Derek]

"IANAL but I do read Groklaw"

It was only a matter of time before people started saying this....

-Derek

Re:it's true

[Marillion]

Sure the source code will make it easier to find exploits, but I've believed for a few years that "institutional hackers" those who have long ago reversed compiled Windows into something suitable for writting worms. How else does the Code Red author decide, "Hey! I found this buffer overflow routine in the unicode support for URLs in the IIS Indexing Server"?

There are probably paranoid governments who have teams who do this just this kind of work just to make sure those fabled NSA back doors in either are or aren't windows.

That leads to a fascinating question

[way2trivial]

Are there any back doors showing in the source...

Re:it's true

[uradu]

> I for one would love to peek around in this, more out of curiosity

Morbid curiosity perhaps. Considering the amount of backward compatibility in there, and the generations of tools and code frameworks used over the past decade and longer, I would expect the Windows code to be a BLOODY MESS. In fact it would probably be amusing to just grep for comments--"what does the next line do?!" or "what the h3ll were we thinking?!"

Re:it's true

[caluml]

fw calum $ grep -ir " shit " /usr/src/linux/* | wc -l
15
fw calum $ grep -ir " fuck" /usr/src/linux/* | wc -l
40
fw calum $ grep -ir " crap" /usr/src/linux/* | wc -l
98

Should I have been doing this on the company firewall? Probably not.

Interesting Neowin comment

[bonch]

"#43 Posted by psneddon on 13 Feb 2004 - 01:09
Just my opinion / thoughts.

1) The software that builds and compiles Windows is very complex I doubt anyone could turn the source into a working system easily. Maybee it would be possible to compile certain parts. Plus even if you could it would take hours if not days to go through the process.

2) I don't see how this will let anyone find any obvious flaws, microsoft have software that does this all the time. I'm not saying its not a security risk but its not as simple as the journalists make out - as always.

3) This exact same scare happened about 7 years ago, I remember they were selling the source to NT4 at a local market on CD, doubt it was the real source code."

this could be really bad

[G27 Radio]

The Windows code hasn't had nearly as much peer review as open source OS's so I won't be suprised if this leads to a ton of exploits. The big problem here is that this source will be available to any black-hat that wants it--they obviously aren't going to be concerned about the legalities of obtaining leaked source code. But the businesses that use Windows aren't going to be able to audit the code for security leaks unless they obtain it illegally (or sign some agreements with Microsoft and shell out bundles of cash.)

Re:this could be really bad

[cmowire]

That is exactly my thoughts.

The interesting part is the difference between Win2k and Linux. In both cases now, the black hats have access to the source code. However, there are more white hats who have access to the Linux codebase, which will make for some interesting long-term implications.

This also has the potential to solve the NSAKEY contriversy once and for all and provide some interesting insights into how Windows works. I'm wondering if, through the use of countries with more flexible copyright systems, it would be possible to document interesting attributes and then pass them back to WINE and other open-source folk.

Re:it's true

[Anonymous Coward]

It was a quiet nice evening couple years ago. Someone pointed me on IRC to 2 links on some unnamed (I won't tell) microsoft.com server. 2 huge .tar.gzs, totalling couple gigabytes. The Windows XP source code.

The links circulated very fast and the servers started slowing and slowing down and then they died. The first ones did manage to get all the stuff. I envied them because I managed to get only couple megabytes. :-(

It seemed real. Very real. Someone had broken into their development servers, stuffed the stuff to the web servers and escaped with it all.

There was some small mention about it on the Slashdot too but I couldn't find it right now. It seems the Microsoft was able to really sweep that one under the carpet. I wonder how.

There are people around with self compiled Windows XP copies, trust me. I envy them. I would gladly remove some features and tweak couple edges I am not now allowed to. Even though it would be a HUGE task.

So the now leaked source codes to NT/2k are mostly just boring and obsolete.

Re:it's true

[Zork the Almighty]

What the hell, it's just one big .vbs file!

Open Source

[The_Rippa]

Now will everyone stop bitching about Windows not being open source?!

New Licensing Model

[MADCOWbeserk]

GLL - General Leaked-Souce license

What, no GPFL?

[namespan]

I was expecting the General Protection Fault License.

Re:Open Source

[eyegor]

Actually, now Microsoft can pull a SCO and sue anyone who produces an OS with lots of security holes and cruft.

Re:Open Source

[Rosco P. Coltrane]

I'm surprised nobody has sent them patches to fix security issues yet...

Re:Open Source

[DarkBlackFox]

No, but how long will it be until Microsoft pulls an SCO and accuses open source of integrating MS code? If it is indeed true, and the code is floating around out there, and within a few weeks a miracle version of Wine is released which suddenly has 100% compatibility, what would MS's reaction be?

Server problems ALREADY...

[momerath2003]

"The server is too busy at the moment. Please try again later."

Later isn't going to work, since the server was down even before it hit the Slashdot front page. I empathize with their server.

I did, however, managed to grab the news blurb (but not the, at that point, 214 comments) from the intermittent front page:

Neowin has learned of shocking and potentially devastating news. It would appear that two packages are circulating on the internet, one being the source code to Windows 2000, and the other being the source code to Windows NT. At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them. Microsoft are currently unavailable for comment surrounding this leak so we have no official response from them at the time of writing.

This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bare thinking about.

We ask that for the wider benefit of the IT community that members and readers support Microsoft by forwarding anything they know about the leak to the Microsoft's Anti-Piracy department.

Please do not post any links/screenshots/hints or anything to do with the source code outbreak. Discussion is allowed but we will not condone people spreading this source code.

Torrent, anyone? ;) (not like I would have any reason to want to have several lines of bug-infested code, as who knows to where the bugs might spread in my system)

Re:Server problems ALREADY...

[Mr. Piddle]

At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them.

How big are these files? I would expect the size of these tarballs to be comparable to Linux Kernel + GNOME + Mozilla + misc userland/bundled equivilents. If they are unexpectedly small (like less than a gig for W2K), then they are probably a hoax.

Re:Server problems ALREADY...

[LuxFX]

... that could be damaged by new exploits found in this source code is something that doesn't bare thinking about.

Argh! Trying to get rid of images of naked NeoWin people thinking about ramifications....

my eyes must be getting old

[proj_2501]

whoa, i totally read that as "MOD PARENT UP SUPER FUNNY"

What now?

[Rosyna]

Are people deeply involved with OSS going to start fixing bugs in Win 2k? Might be fun and a dagger in MS's heart.

"We fix bugs in 24 to 40 hours, much faster than OSS."

Re:What now?

[Jim_Maryland]

Just to throw this out, what's the possibility that MS saw some similar routines in WINE and figured to shutdown the project by releasing some portions of the MS code that overlaps? They could essentially say that WINE must be based on MS proprietary code. Even with the code only publicly being leaked now, they could argue that copies may have been floating around for a while. Maybe they are taking some ideas from SCO on how to profit from the OSS community.

Re:Now? Improve emulators!

[harrkev]

Yup. And films should not be copyrighted because the film studios did not invent silver nitrate.

And CDs should not be copyrighted because they did not invent the photon used to read it.

If you take this to its logical extreme, any file is simply an extremely large digital number (millions of bits). How do you copyright a number? So it is then not possible to copyright ANY digital work.

What's the big deal?

[Fluk3]

There's plenty of worthless spam on the internet already.

For those that need more proof

[timdorr]

Full file listing with sizes: http://heim.ifi.uio.no/~mortehu/files.txt [ifi.uio.no] I suggest mirroring ;)

Re:For those that need more proof

[say]

What is this:

win2k/private/inet/urlmon/iapp/gnumakefile
win2 k/private/inet/urlmon/mon/gnumakefile
win2k/priva te/inet/xml/xml/tokenizer/parser/gnumak efile

(and so on - many, many instances)

on the other hand, a few funny files:
win2k/private/inet/xml/xml/tokenizer/dll/w ords of wisdom from dennis.eml
win2k/private/inet/xml/xml/dso/letter to children - 2.eml

and VERY interesting:
win2k/private/ntos/w32/ntuser/kernel /

Re:For those that need more proof

[PipianJ]

20475 07-26-00 03:06 win2k/private/windows/shell/games/sol/sol.c

AT LAST! The secret to beating Solitaire... This could perhaps be the most significant event of our times!

Maybe they will rethink Open Source...

[viper21]

Microsoft just needed a push in the right direction, right?

-S

One a related note

[ackthpt]

On a related note, Microsoft is reporting the number of bugs in Linux to have surged in recent weeks, thus proving Intellectual Property theft.

Seriously, the previous article [slashdot.org] lambasting open source for being vulnerable is nothing when compared to eyes backed with malicious intent poring over Windows source code for new exploits. So much for security through ignorance.

Fortune

[Tom Rothamel]

The funny thing is the fortune that appeared in the appropriate slashbox when I first saw this article.

"Never trust an operating system you don't have sources for. ;-)
-- Unknown source"

Mirror With Comments

[RPoet]

Mirror with comments [student.uib.no].

Hope it's all just a bluff.

Re:Mirror With Comments

[RichMan]

You have commented all that Microsoft code already. Holy Crap that is fast.

Code

[daeley]

...Windows 2000 and Windows NT source code has been leaked to the internet.

The Internet, however, being a polite sort of fellow and completely undesirous of the undoubtedly horrible ramifications of having such a beastie running around loose, gently replaced the source code and gave Windows a friendly pat on the head.

Do NOT read that code!

[AuMatar]

Do NOT read that code if you ever wish to program for an open source OS, ever. Doing so will make you tainted- you open the project up to allegations of copyright infringement. Unless you never want to contribute a single line to Linux, *BSD, etc, checking out that code is a bad idea. Its almost a surprise MS didn't "leak" Win 95 or 3.1 years ago to catch open source developers like this.

Re:Do NOT read that code!

[TekPolitik]

Do NOT read that code if you ever wish to program for an open source OS, ever...

Of course those of us who are also lawyers can safely read other peoples' code, because we know exactly what to do to avoid infringing. It is possible to extract knowledge from the code without breaching copyright, but...

Getting a copy of the code at all is a breach of copyright.

Re:Do NOT read that code!

[MenTaLguY]

that's like saying the beatles can sue every musician who ever listened to them for copyright infringement

I personally think it's a bad analogy, but even that isn't as far-fetched as you might think.

George Harrison (of Beatles fame) was succesfully sued for _subconsciously_ ripping off the song "He's So Fine" (in "My Sweet Lord"). See here [benedict.com] for more details.

So, no, I don't think worrying about IP contamination from looking at Windows source code is paranoid at all.

Re:Do NOT read that code!

[happyfrogcow]

The correct analogy is sampling large portions of a beatles song or performing your own rendition of it. If you try to record a beatles song and sell it, you had better pay the proper song royalties or you will get sued.

Yet if I learn to play guitar by among other things, listening to all of the Beatles songs and playing along, do the Beatles own the rights to any future song I write? Goddamn hell freakin no! How is that any different from learning things from viewing MS, or any other persons code?

I've learned to code by doing all sorts of things over the years. Among them, learning from coworkers code. Applying that knowledge at my current job doesn't make the propoerty of my current employer a derivitive work of my employer from 5 years ago, even though I had access to the source code of that previous job.

error.h

[sarice]

We all know the real valuable stuff is in error.h.
So, what does it say?

Not good

[savagedome]

This is not good. Windows is designed primarily with 'security by obscurity' in mind. The security holes indeed show up every often and we have worms making it to the gazillion windows boxes before the patch does. Get ready for a deluge of worms/virri. Another bad week/month for sysadmins.

If this is true...

[thesolo]

I haven't been able to even get to Neowin, it's been slashdotted since before this story even made it to "The Mysterious Future" here on /., but think about what this means if this is actually true. The potential vulnerabilities. All the trade secrets Microsoft put in there. Hell, IE 5 was released with Windows 2000, so if this is full source, it means IE 5 and the trident engine are in there as well.

If this is true, today may be the day that everything changes.

In other news...

[zellyn]

ReactOS [reactos.com] have announced they have hit all upcoming milestones and consider their project "feature complete".

The comparator

[fava]

I wonder how long it will be until someone runs the comparator in it?

Here's the source

[FattMattP]

I found the source code here. [demon.co.uk]

tin foil hat

[wildcard023]

Ok so here's MS's plan.

Step 1) Leak their source
Step 2) Sue Onen Source developers down the road because obviously they have studied the MS leaked source.
Step 3) ... Ya, I'm sure you know what goes here.

Ok but seriously, I'm not touching it. The last thing I need is Microsoft saying that I somehow owe something to them.

Jerks.

--
Mike

Now W. Russell Jones can put his story to the test

[ThogScully]

In the last article on the /. home page, we have W. Russell Jones talking about all the insecurity of having source available in open source projects.

I'm afraid we've reach a massive failure here in security by obscurity, but time will tell. If this is true and if there are lots of security holes discovered, I find it hard to believe even a company of Microsoft's size can respond quickly enough to keep the outbreaks down. This threat is why open source is better than what W. Russell Jones made it out to be. The threat of security failing because of leaking source just isn't there with open source.
-N

What's the big deal?

[Animats]

What the NT kernel does is well understood. The object code is widely available, and key parts, like file system formats, have been reverse engineered. There's plenty of documentation. A few major development shops have access to the source anyway. If you're into kernel architecture, it might be interesting, but otherwise, so what?

Why ofcourse!

[Soul-Burn666]

It's only reasonable that software with so many holes will leak!

It's not a problem.

[ggruschow]

I've seen a fair chunk of the NT kernel code, legally, under NDA. The NDA bars me from revealing any details, but it doesn't prevent me from saying that, if I were MS, I wouldn't worry about anything aside from sheer embarassment.. However, I have to admit that getting something of that hulking size operating solidly is pretty respectable.

On the plus side, some of the comments are fairly humorous, especially when you note who wrote them and look up where they are today.

Someone PLEASE...

[RyanFenton]

As someone mentioned, this would be fascinating to just read the comments. Would it be possible for someone to strip out all the code, leaving only the comments for each file, minus comment lines that ARE code? It would be GREAT just to read the "intention" and "questions" living in that code and be able to associate each with a filename. Purely for entertainment value. It would also be neat to compare comment-to-code ratio in areas of MS code. :^)

Ryan Fenton

So...

[El]

My question is, has anybody managed to get this steaming pile of manure to compile? Seems like one would need to do that and then compare the binaries (ignoring any timestamping) before assuming this is authentic.

Here's some of it....

[C A S S I E L]

Neowin.net is reporting that Windows 2000 and Windows NT source code has been leaked to the internet.

The server is currently slashdotted, but I managed to download the first few lines of the Windows 2000 codebase. Here they are:

10 REM Windows 2000 Operating System
20 REM (C) Microsoft Corporation
30 REM Note: TO DO: fix up security stuff
40 REM :
50 REM :wq
60 REM exit^M^M quit ^C

Pffft...

[TheSpoom]

The Win2K Source [baltimoremd.com] was released a while ago.

Mirror: An Insightful comment from Neowin

[metroid composite]

#1.3 Reply by cowabunga on 13 Feb 2004 - 02:16

About when is it time to buy som Microsoft stock? In an hour when it plummets and then sell tomorrow when its back up after they find out its all bull

Maybe someone trying to make some money this way or MS is agressivly pushing their customers over to XP

Worth mirroring I thought.

ANONYMOUS DONOR CONTRIBUTES TO WINE

[Anonymous Coward]

WINEHQ: Early today, a developer who wished to remain anonymous contribued an astonishing amount of source code to the WINE project. Some initial testing performed by WINE core developers revealed that WINE's compatibility with Microsoft Windows applications releasted for Windows NT and Windows 2000 had perfect compatibility, even down to some annoying and well-known bugs that have plagued certain Microsoft DLLs distributed with Microsoft's operating systems.

"This will really make it possible for non-Windows users to run more applications than ever using WINE on alternate operating systems like Linux," said one develper we spoke with. ;)

Irony of ironies....

[bobdotorg]

I would be the most poetically ironic event ever if it turns out that it was a MS Win security hole that allowed a hacker to enter a server and steal the code.

Doubly ironic if it was a hole that MS has known about for months and not bothered to patch.

Triply ironic if someone finds said hole, patches it, and ships patched source back to MS.

Code leaks not new

[Jim Hall]

Code leaks from Microsoft are not new. Check this article [cioupdate.com] at CIO Update about a code leak a year ago: (emphasis mine)

Microsoft Corp. said it is tracing a key piece of code from its Windows Server 2003 software that was leaked onto the Internet, triggering concerns about piracy problems ahead of the company's scheduled product release later this month. The volume-licensing key in question allows for unlimited installations of Microsoft's Windows Server 2003 server operating system, the next upgrade from Windows NT that is slated for release on April 24.

However, this seems only to be a partial leak, not comparable to this complete (if it's real) source code leak.

Seen it - nothing spectacular

[Anonymous Coward]

Blimey. We got wind of this around lunchtime GMT, and within half an hour two zip files mysteriously got downloaded to - ahem - servers some collegues and I have access to (no, I had no involvement in the download and have no idea of the source). We took a look, us being extremely sceptical of the claims, and ended up spending a few hours grepping the Win2K sources.

If this is a wind up, someone or people spent a long old time faking it. Microsoft notices and email addresses all over the place. They don't like the AIX compiler one little bit. Hardly any mention of Linux, GPL or GNU.

Actually quite a professional bunch of source files by all accounts. Appears to be using standard GNU Makefiles though. Yes, the 'f' word appears, as does the 's' word. Apparently Office 2k is broken in some respect that Win2k needed a tweak or some description.

Plenty of mentions of Internet Explorer, although I wouldn't like to say that we found 'IE' in the code, but then we aren't C experts at all. It does mention IE6 and Windows ME, so can't be all that old either. Does mention buffer overflows a fair bit, also plenty of 'hackhack' and 'bugbug' notes laying around.

In fact, nothing particularly spectacular found at all. We took a look, got bored, and went back to our normal work. Honest boss!

And no, we didn't try to compile it. We felt it was genuine enough though - not that we really cared. We did however note that if this lot is proven to be the real deal, Microsoft are going to be landed with one hell of a lot of security alerts for 2k/NT over the next six months.

Yours merely curious...

Re:Torrent?

[thelasttemptation]

I want a ebuild!

emerge win2000

Re:Torrent?

[Anonymous Coward]

You must either be new to Gentoo or new to Windows. It would most definately be:

ACCEPT_KEYWORDS="~x86" emerge win2000

Re:hmm seems a bit buggy

[fishbowl]

It *amazes* me that it hasn't been routine.

Windows source code is not some deep dark secret that is locked in a vault, only let out during builds for the product releases.

*MANY* people have access to the Windows source code. A number of people in my own university have it. There are strict licensing considerations, but when has that ever worked before? Surprisingly, none of the people with source access has ever pulled off the stunt where it's broadcasted. I have always wondered why.

Re:hmm seems a bit buggy

[jmorris42]

> It *amazes* me that it hasn't been routine.

Because most people are paranoid enough to assume M$ watermarks each distributed copy to allow them to trace it back to the point of release. But now they are giving copies to governments like China and folks there just don't really give a damn about western notions of copyrights.

Re:hmm seems a bit buggy

[zurab]

It *amazes* me that it hasn't been routine.

I agree. Remember, at the trial MS argued that opening or showing parts of Windows source code would be a threat to national security. Not long after that, they gave their source code to Russia, China, and many multi-national corporations and other organizations as part of their Shared Source initiative. Now, don't know where the source was leaked from, but 1 + 1 = ?

If in fact, this story is true, MS is riding against the wind here. It is feeling pressure from the Open Source while its security, software, and business models are based on keeping the source secret. If so, how long can they keep up?

Re:I'll believe it when I see it.

[rritterson]

While you may not have heard of Neowin before, they are actually quite well known and are often placed in those '100 essential sites' lists.

They focus primarily on windows tech, and have a knack for breaking stories about Windows- leaked builds of future versions, beta builds of service packs, etc. Whoever runs the site is well connected in Microsoft.

Re:I'll believe it when I see it.

[BrianCarlstrom]

Second point: The odds of getting one's hands on the full source to NT4/2K are slim to none--even most Microsoft folks couldn't do that. The code is probably scattered across multiple servers in Redmond, for starters, and you'd only be given access to the parts you needed to work with.

Microsoft gave a talk at usenix: Windows A Software Engineering Odyssey [usenix.org]

This slide [usenix.org] indicates the full source is 50gb and took a week to setup and 2 hours a day to update.

That implies to me that people could have the whole source but it would huge.

Slide 24 talks about their new perforce [perforce.com] based system that only takes 3 hours to setup and 5 minutes to update.

Re:I'll believe it when I see it.

[justsomebody]

Agreed, but you forget one thing about size. Source code has very good compression ration. Almost every time ratio is 10:1 or more which would mean 1-5 GB, and considering Fedora dvd image i'm downloading right now 3.7GB, well nothing special about the size.

The odds of getting the full source: experience.

[rufusdufus]

The odds of getting one's hands on the full source to NT4/2K are slim to none--even most Microsoft folks couldn't do that.

This is incorrect.

Its funny how people build up ideas in their heads about what its like in a large corporation, somehow like a hollywood movie with lots of people with dark shades and guns ala "The Net".

No, inside Microsoft is a lot more like "Office Space" and anybody with motivation could get the entire source with little trouble.

Re:So is this the beginning of something...

[webroach]

Sure it's illegal, but so have many things Microsoft has done.

I'm not sure that kind of justification really works. It also doesn't help the open source community, IMHO. I can't agree with the "let's sink to their level" philosophy.

Re:The shit will hit the fan + Mirror

[milgr]

Could this potentially help the WINE Project?

IANAL but I would avoid looking at the leaked code - especially if I was working on a project like wine. You wouldn't want wine to sued out of existence because it contains code derived from a proprietary, copywritten system.

Re:The shit will hit the fan + Mirror

[Lehk228]

Having the source you could do a cleanroom implementation of it, have a set of "dirty" developers read and describe the undocumented API's and another set write those API's from scratch

Re:Just don't use the code

[aoteoroa]

What ever you do, don't let the code influence your projects

You beat me to the punch. This code leak could be a very good thing for Microsoft, and a trap for the open source community. I doubt that Microsoft intentionally planted this snare but if any future open source project even vaguely resembles this leaked code I have no doubt that Microsoft will open their full arsenal of lawyers.

Re:Just don't use the code

[SkArcher]

Exactly

In fact if you are involved with an Open Source project (especially Kernel and Window Manager projects) I suggest you do everything possible to avoid seeing this code.

Accusations of Taint are undoubtedly going to spring up from this, and you would be better to be well clear.

I will confess to a certain curiosity as to what the results of a comparator test would be though.

Re:Just don't use the code

[acousticiris]

Yeah... I can see it now.
"Microsoft is suing end-users of Linux due to the discovery that the latest version of the kernel incorporated Windows 2000 code. The discovery of the code theft was made after someone at Microsoft plugged a USB scanner into a system running the latest Linux kernel and received the Blue Screen of Death."

Re:Just don't use the code

[cybermace5]

*** CONSPIRACY THEORY BEGIN ***

I remember someone on here, a while back during one of the SCO stories, wondered what would happen if Microsoft released the source code, but under such a devious license that contamination would be fatal to an open-source project.

Maybe someone at Microsoft thought that was a neat idea.

*** CONSPIRACY THEORY END ***

As far as looking at the code: the only real reason to examine it is to find new exploits. No developer is going to slave over that source in order to find bugs and repair them, since there is no legal way to do it.

Re:There is no evidence listed

[RealityMogul]

Breaking News:

A member of the Slashdot cult has admitted he has stolen the source code to Microsoft's Windows XP operating system. PickyH3D is the handle the low-karma hacker used when bragging of his accomplishment to the world. He has also issued a challenge to Microsoft's legal team with the statement that "there is no evidence". More on this as we hear it.